r , 

1 USER AUTHENTICATION METHOD, AND STORAGE MEDIUM, 

2 APPARATUS AND SYSTEM THEREFOR 

3 Field of the Invention 

4 The present invention relates to a user authentication 

5 method used, for example, for a computer system 

6 connected to a network; a storage medium on which a user 

7 authentication program is stored; a user authentication 

8 apparatus; and a user authentication system. In 

9 particular, the present invention pertains to a user 

10 authentication method, for authenticating relations 

11 existing between a prover computer, equipped with a 

12 public key, and a plurality of verifier computers; a 

13 storage medium on which such a user authentication 

14 program is stored; and a user authentication apparatus 

15 and an authentication system therefor. 

16 Background Art 

17 On a network, users are often required to participate in 

18 some sort of authentication process to identify 

19 themselves. An authentication process in this case 

20 refers to a process whereby a prover, by following the 

21 rules of a specific protocol, proves his or her identity 

22 to a verifier, a requisite electronic commerce 

23 technique. When, for example, a user desires to prove 
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1 his or her identity to a server, the user functions as a 

2 prover and the server functions as a verifier. Whereas 

3 when a server desires to prove its identity to a user, 

4 the server functions as a prover and the user functions 

5 as a verifier. Such authentication techniques are not 

6 limited in their application to intercourse between 

7 users and servers, but are widely employed as mutual 

8 identification methods by arbitrarily paired computers. 

9 Recently, the user authentication processes that are 

10 employed are based on public key encryption: a prover 

11 has both a public key and a secret key, and when the 

12 prover desires to prove his or her identity, he or she 

13 employs a specific protocol to notify a verifier that he 

14 or she has a secret key that corresponds to the public 

15 key. 

16 The Schnorr method is a well known, representative user 

17 authentication technique ("Efficient Signature 

18 Generation by Smart Cards", CP. Schnorr, Journal of 

19 Cryptology, Vol. 4, No. 3, pp. 161-174, 1991). According 

20 to this technique, a prover proves to a verifier that he 

21 or she holds a secret key corresponding to a public key. 

22 As one conventional example, a summary of Schnorr F s user 

23 authentication method will now be given while referring 

24 to Fig. 3. System parameters used by this method are 

25 prime numbers p and q (qlp-1) and the element g € Zp of 

26 the order q. The public key of the prover is v (v = g" s 

27 mod p) , and the secret key of the prover is s e Zq. In 
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1 the following explanation, assume that the prover and 

2 the verifier obtain in advance the prime numbers p and q 

3 and the element g, which are system parameters, and that 

4 the verifier obtains in advance the public key v of the 

5 prover. 

6 According to this method, the verifier and the prover 

7 exchange data in the following manner. 

8 Step 1: The prover generates a random number a e Zq, 

9 calculates A = g a mod p, and transmits it to the 

10 verifier. 

11 Step 2: The verifier generates a random number b (b € 

12 Zq) , and transmits it to the prover. 

13 Step 3: The prover calculates c = a + bs mod q, and 

14 transmits it to the verifier. 

15 Step 4: The verifier determines whether A = V b g c mod p is 

16 established. If this equation is established, the 

17 verifier ascertains that the identity of the prover is 

18 correct. If this equation is not established, the 

19 verifier ascertains that the identity of the prover is 

20 incorrect, and rejects the communication. 

21 The Schnorr method is the most efficient of all the 

22 methods based on the discrete logarithm program, and 

23 only three communications are required. However, the 

24 safety of the communications is not guaranteed. That 

25 is, in the process of following the procedures defined 

26 in the protocol and communicating across the network, 

27 the secret key s of the prover may be revealed. 
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1 Therefore, the safety of such a data exchange between 

2 prover and verifier should be evaluated, i.e., the user 

3 authentication process (the exchange of messages, etc.). 

4 For this evaluation, i.e., of the safety of the user 

5 authentication process, a zero-knowledge technique is 

6 well known ("The Knowledge Complexity of Interactive 

7 Proofs", S. Goldwasser, S. Micali, and C. Rackoff, 

8 Proceedings of 17th Symposium on Theory of Computing, 

9 pp. 291-304, 1985). In this instance, the zero 

10 knowledge property represents that no information 

11 concerning the secret key of the prover is revealed, and 

12 thus, when the zero knowledge property is achieved, the 

13 safety of the user authentication method is guaranteed. 

14 The zero knowledge property can be achieved by a partial 

15 correction to the Schnorr authentication method ("How to 

16 prove yourself: practical solution to identification and 

17 signature problems", A. Fiat and A. Shamir, Proceedings 

18 of Crypto 1 86, 1980). Specifically, when the Schnorr 

19 authentication method is corrected so that the verifier 

20 generates a random number be {0, 1} and so that the 

21 procedures in the protocol are sequentially performed 0 

22 (log q) times, the zero knowledge property is achieved. 

23 That is, when the subsequent protocol procedures are 

24 performed 0 (log q) times, and if the verifier accepts 

25 the identity of the prover in all the performances of 

26 the protocol procedures, the identity of the prover is 

27 verified. 

28 Protocol] 
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1 Step 1: The prover generates a random number a e Zq, 

2 calculates A = g a mod p and transmits the random number A 

3 to the verifier. 

4 Step 2: The verifier generates a random number b e {0, 

5 1}, and transmits the random number b to the prover. 

6 Step 3: The prover calculates c = a + b s mod q, and 

7 transmits the result c to the verifier. 

8 Step 4: The verifier determines whether A = v b g c mod p 

9 has been established. When the equation has been 

10 established, the verifier concludes that the identity of 

11 the prover is correct. If the equation is not 

12 established, the verifier concludes that the identity of 

13 the prover is incorrect, and rejects the communication. 

14 As described above, although the number of 

15 communications is increased to O(log q) , the zero 

16 knowledge property is achieved. Besides the Schnorr 

17 method, many other user authentication methods have been 

18 proposed that achieve the zero knowledge property. 

19 Problems to be Solved by the Invention] 

20 However, to achieve the zero knowledge property for the 

21 conventional user authentication, it is proposed that 

22 one prover correspond to one verifier, and that the zero 

23 knowledge property will be achieved only when the prover 

24 and the verifier complete the performance of the 

25 protocol procedures using one-to-one correspondence (see 

26 Fig. 4). That is, when the prover must perform the 

27 protocol with multiple verifiers, there is no guarantee 

28 that the zero knowledge property will be achieved 
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("Concurrent Zero-Knowledge", C. Dwork, M. Naor and A. 
Sahai, Proc. Of 30th STOC, 1998). 

For example, on an asynchronous network, such as the 
Internet, multiple computers simultaneously communicate 
with each other, and a prover may also be required to 
simultaneously perform the protocol procedures with 
multiple verifiers. On the WWW (the World Wide Web), an 
HTTP (Hyper Text Transfer Protocol: the protocol used by 
WWW servers and WWW browsers or Web browsers to exchange 
such data as files) server is requested to verify its 
identity through simultaneous communication exchanges 
with multiple connected clients (see Fig. 5) 

Summary of the Invention 

To resolve the above shortcoming, it is one object of 
the present invention to provide a user authentication 
method whereby, even when multiple verifiers are in 
simultaneous communication with a prover, a user can be 
safely authenticated while at the same time the zero 
knowledge property is achieved, as well as a storage 
medium on which such a user authentication program is 
stored, and a user authentication apparatus and a user 
authentication system therefor . 

To achieve the above object, according to one aspect of 
the present invention, a user authentication method, 
whereby a one-way function F, which should satisfy v = 
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1 F(g, -s), is determined by employing an integer g that 

2 is defined in advance for a relation between a public 

3 key v and a secret key s of a prover computer, and 

4 whereby a relation is verified between the prover 

5 computer and each of multiple verifier computers, 

6 comprises the steps of: the prover computer generating a 

7 random number a, obtaining a cryptogram A = the function 

8 F(g, a), and transmitting the cryptogram A to the 

9 verifier computers; the verifier computers generating a 

10 random number b, obtaining a cryptogram B = the function 

11 F(g, b) and a cryptogram X = the function F(A, b) , and 

12 transmitting the cryptograms B and X to the prover 

13 computer; the prover computer determining whether a 

14 relation of the cryptogram X = the function F (B, a) has 

15 been established and generating a random number c when 

16 the relation has been established, obtaining a 

17 cryptogram C = the function F(g, c) and a cryptogram Y = 

18 the function F(B, c) , or a cryptogram C = the function 

19 F(A, c) , a cryptogram Y = the function F(X, c) and a 

20 cryptogram Z = a function H(a, Y, s), and transmitting 

21 the cryptograms C and Y or the cryptograms C, Y and Z to 

22 the verifier computers; and the verifier computers, when 

23 the cryptogram Y = the function F(C, b) and the 

24 cryptogram A = a function J(v, Y, g, Z) are established, 

25 determining that the relation between the prover 

26 computer and the verifier computer is correct. 

27 The public key v is obtained by employing prime numbers 

28 p and q that satisfy (q|p - 1), and by defining an 

29 element of the order q as the integer g. 
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1 By using the public key v and the secret key s, the 

2 function F acquires a relation v = F(g, -s) = g~ s mod p. 

3 When a relation X = B a mod p is established, the prover 

4 computer generates the random number c. 

5 The function H has a relation H(a, Y, s) = a + Ys mod q. 

6 The function J has a relation J(v, Y, g, Z) = v Y g z mod p. 

7 According to another aspect of the invention, a storage 

8 medium is provided on which a user authentication 

9 program, which is to be read by a prover computer, is 

10 stored whereby a one-way function F, which should 

11 satisfy v = F(g, -s), is determined by employing an 

12 integer g, which is defined in advance for the relation 

13 between a public key v and a secret key s of the prover 

14 computer, and whereby a relation is verified between the 

15 prover computer and each of multiple verifier computers, 

16 the user authentication program permitting the prover 

17 computer to perform: a process for generating a random 

18 number a and for obtaining a cryptogram A = the function 

19 F(g, a), and for transmitting the cryptogram A to the 

20 verifier computers; a process for receiving cryptograms 

21 B and X from the verifier computer, and for employing 

22 the cryptograms to determine whether a relation a 

23 cryptogram X = the function F (B, a) has been 

24 established; a process for generating a random number c 

25 when the relation has been established; and a process 

26 for obtaining a cryptogram C = the function F(g, c) and 

27 a cryptogram Y = the function F(B, c) , or a cryptogram C 
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1 = the function F(A, c) , a cryptogram Y = the function 

2 F(X, c) and a cryptogram Z = the function H(a, Y, s) ; 

3 and a process for transmitting the cryptograms C and Y, 

4 or C, Y and Z, to the verifier computers . 

5 According to an additional aspect of the present 

6 invention, a storage medium is provided on which is 

7 stored a user authentication program, which is to be 

8 read by a prover computer, whereby a one-way function F, 

9 which should satisfy v = F(g, -s) , is determined by 

10 employing an integer g, which is defined in advance for 

11 the relation between a public key v and a secret key s 

12 of the prover computer, and whereby a relation is 

13 verified between the prover computer and each of 

14 multiple verifier computers, the user authentication 

15 program permitting the verifier computers to perform: a 

16 process for receiving a cryptogram A from the prover 

17 computer and for generating a random number b; a process 

18 for obtaining a cryptogram B = the function F(g, b) and 

19 a cryptogram X = the function F (A, b) , using the random 

20 number b and the cryptogram that is received, and for 

21 transmitting the cryptograms B and X to the prover 

22 computer; a process for receiving, from the prover 

23 computer, a cryptogram C = the function F(g, c) and a 

24 cryptogram Y = the function F(B, c) , or a cryptogram C = 

25 the function F(A, c) , a cryptogram Y - the function F(X, 

26 c) and a cryptogram Z = the function H(a, Y, s) ; and a 

27 process, based on the cryptograms C and Y or C, Y and Z 

28 that are received, for verifying a relation between the 

29 verifier computer and the prover computer when two 
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relations of the cryptogram Y = the function F(C, b) and 
the cryptogram A = the function J(v f Y, g, Z) are 
established at the same time. 



According to a further aspect of the present invention, 
a user authentication apparatus is provided for a prover 
computer, wherein a one-way function F, which should 
satisfy v = F(g, -s) , is determined by employing an 
integer g, which is defined in advance, for a relation 
between a public key v and a secret key s of the prover 
computer, and wherein a relation is verified between the 
prover computer and each of multiple verifier computers, 
the user authentication apparatus comprising: 
transmission means, for generating a random number a and 
obtaining a cryptogram A = the function F(g, a), and for 
transmitting the obtained cryptogram A to the verifier 
computers; reception means, for receiving cryptograms B 
and X from the verifier computers; verification means, 
for employing the cryptograms B and X to determine 
whether a relation of the cryptogram X = the function 
F(B, a) has been established; cryptogram computation 
means, for generating a random number c when it has been 
ascertained that the relation has been established, and 
for obtaining a cryptogram C = the function F(g, c) and 
a cryptogram Y = the function F(B, c) , or a cryptogram C 
= the function F(A, c) , a cryptogram Y = the function 
F(X, c) and a cryptogram Z = the function H(a, Y, s); 
and cryptogram transmission means, for transmitting the 
cryptograms C and Y or C, Y and Z to the verifier 
computers . 
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1 According to a still further aspect of the prevent 

2 invention, a user authentication apparatus is provided 

3 for a prover computer wherein a one-way function F, 

4 which should satisfy v = F(g, -s), is determined by 

5 employing an integer g, which is defined in advance, for 

6 the relation between a public key v and a secret key s 

7 of a prover computer, and wherein a relation is verified 

8 between the prover computer and each of multiple 

9 verifier computers, the user authentication apparatus 

10 comprising: reception means, for receiving a cryptogram 

11 A from the prover computer; transmission means, for 

12 generating a random number b, and for employing the 

13 random number b and the cryptogram A that is received to 

14 obtain a cryptogram B = the function F(g, b) and a 

15 cryptogram X = the function F(A, b) , and for 

16 transmitting the cryptograms B and X to the prover 

17 computer; cryptogram reception means, for receiving from 

18 the prover computer a cryptogram C = the function F(g, 

19 c) and a cryptogram Y = the function F(B, c) or a 

20 cryptogram C = the function F(A, c) , a cryptogram Y = 

21 the function F(X, c) , and a cryptogram Z = the function 

22 H(a, Y, s); and verification means, for performing a 

23 procedure, based on the cryptograms C, Y and Z that are 

24 received, for verifying a relation between the verifier 

25 computers and the prover computer when two relations of 

26 the cryptogram Y = the function F(C, b) and the 

27 cryptogram A = the function J(v, Y, g, Z) are 

28 established at the same time. 
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1 According to yet one more aspect of the present 

2 invention, a user authentication system comprises: the 

3 above described user authentication apparatus for the 

4 prover computer; and a plurality of the above described 

5 user authentication apparatuses for the verifier 

6 computers. 

7 According to yet another aspect of the present 

8 invention, a user authentication system, wherein a 

9 one-way function F, which should satisfy v = F(g, -s) , 

10 is determined by employing an integer g, which is 

11 defined in advance, for the relation between a public 

12 key v and a secret key s of a prover computer, and 

13 wherein a relation is verified between the prover 

14 computer and each of multiple verifier computers, 

15 comprises: transmission means, for the prover computer, 

16 for generating a random number a and obtaining a 

17 cryptogram A = the function F(g, a), and for 

18 transmitting the obtained cryptogram A to the verifier 

19 computers; reception means for the verifier computers, 

20 for receiving the cryptogram A from the prover computer; 

21 transmission means for the verifier computers, for 

22 generating a random number b with which the cryptogram A 

23 is employed to obtain a cryptogram B = the function F(g, 

24 b) and a cryptogram X = the function F (A, b) , and for 

25 transmitting the cryptograms B and X to the prover 

26 computer; reception means for the prover computer, for 

27 receiving the cryptograms B and X from the verifier 

28 computers; verification means for the prover computer, 

29 for employing the cryptograms B and X to determine 
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1 whether a relation of the cryptogram X = the function 

2 F(B, a) has been established; cryptogram computation 

3 means for the prover computer, for generating a random 

4 number c when it is ascertained that the relation has 

5 been established, and for obtaining the cryptogram C = 

6 the function F(g, c) and the cryptogram Y = the function 

7 F(B, c) , or the cryptogram C = the function F(A, c) and 

8 the cryptogram Y = the function F(X, c) , and a 

9 cryptogram Z = the function H(a, Y, s) ; and cryptogram 

10 transmission means for the prover computer, for 

11 transmitting the cryptograms C, Y and Z to the verifier 

12 computers; cryptogram reception means, for the verifier 

13 computers, for receiving the cryptograms C, Y and Z from 

14 the prover computer; and verification means for the 

15 verifier computers, for employing the cryptograms C, Y 

16 and Z that are received to verify a relation between the 

17 verifier computers and the prover computer when two 

18 relations of the cryptogram Y = the function F(C, b) and 

19 the cryptogram A = the function J (v, Y, g, Z) are 

20 established at the same time. 

21 Preferred Embodiment 

22 The preferred embodiment of the present invention will 

23 now be described while referring to the accompanying 

24 drawings. In this embodiment, the invention is applied 

25 for a case wherein a public key v and a secret key s are 

26 used for user authentication on a network. 

27 The present invention relates to user authentication for 
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1 an asynchronous network, such as the Internet. In the 

2 asynchronous network, multiple verifiers may request a 

3 prover to execute a protocol for user authentication. 

4 That is, in this embodiment, there are multiple 

5 verifiers for one prover. 

6 In this embodiment, the following one-way function F is 

7 employed as an encryption function. Assume that the 

8 one-way function F is a two-input and one-output 

9 function, and that two calculations, addition (+) and 

10 multiplication (*) are defined by the range and a second 

11 variable range of a function . 

12 Further, the function F satisfies the following two 

13 properties . 

14 That is, for arbitrary an a and b, the following 

15 relations must be established: 

16 (1) F(g, a+b) - F(g, a)*F(g, b) 

17 (2) if A = F(g, a), F(g, a*b) = F (A, b) . 

18 Another encryption function H, which is a three-input 

19 and one-output function, is represented as follows. 

20 H(a, Y, s) = a + Y*s 

21 wherein the addition and multiplication are the ones 

22 defined in the second variable range of the function F. 

23 Furthermore, an additional encryption function J, which 

24 is a four-input and one-output function, is represented 

25 as follows using the function F. 

26 J(v, Y, g, Z) = F(v, Y) *F(g, Z) . 

27 The one-way function based on the discrete logarithm can 

28 be a specific example for the function F. As a typical 
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example, when a relation q|p-l is established for prime 
numbers p and q and when g e Zp is the element of the 
order q, 

F(g, a) = g a mod p. 

A system for which the present invention can be applied 
is shown in Fig. 2. A prover computer 10 and a verifier 
computer 40, which include at the least a CPU, and 
additional verifier computers 60 having the same 
configuration as the verifier computer 40 are connected 
to a network 32. As is shown in Fig. 2, in this 
embodiment, a one-to-multiple connection is established 
between the prover computer and the verifier computers. 

The prover computer 10 includes an input device 12, for 
entering system parameters, is connected to a random 
number generator 14, for generating a random number a in 
accordance with the input, and a memory 16. The random 
number generator 14 is connected to the memory 16 and a 
cryptogram calculator 18, for obtaining a cryptogram A 
based on the random number a. The cryptogram calculator 
18 is connected to a communication interface 
(hereinafter referred to as a communication I/F) 30, 
which in turn is connected to the network 32, to 
facilitate communications with other apparatuses via the 
network 32. A verification unit 20 is connected both to 
the communication I/F 30 and to the memory 16. A random 
number generator 22, for generating a random number c in 
accordance with the input, and a halting unit 24, for 
employing an input signal to halt a protocol that will 
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be described later, are connected to the verification 
unit 20. The random number generator 22 is connected to 
a cryptogram calculator 26, for obtaining cryptograms C 
and Y, based on the random number c. The cryptogram 
calculator 26 is connected to a cryptogram calculator 
28, for obtaining a cryptogram Z, based on the 
cryptograms C and Y. And the cryptogram calculators 26 
and 28 are connected both to the communication I/F 30 
and to the memory 16. 

The verifier computer 40 includes an input device 42, 
for entering system parameters, that is connected to a 
random number generator 44, for generating a random 
number b in accordance with the input, and a memory 46. 
The random number generator 44 is connected to the 
memory 46 and a cryptogram calculator 48, for obtaining 
cryptograms B and X based on the random number b. The 
cryptogram calculator 48 is connected to a communication 
I/F 56, which is connected to the network 32 to 
facilitate communications with other apparatuses via the 
network 32. A verification unit 50 is connected both to 
the communication I/F 56 and to the memory 46. And an 
acceptance unit 52 and a rejection unit 54 are connected 
to the output side of the verification unit 50. 

Since the verifier computer 60 has the same 
configuration as the verifier computer 40, no detailed 
explanation for it will be given. In the following 
description, wherein the verifier computer 40 is used as 
a typical configuration, the names of its individual 
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1 sections are employed. 

2 The protocol for this embodiment will now be described. 

3 It should be noted that the system parameter is a 

4 function F g , the public key of a prover is v = F(g, -s) , 

5 and the secret key of the prover is s. 

6 Protocol 

7 Step 1: 

8 A prover generates the random number a using the random 

9 number generator 14, obtains a cryptogram A = F(g, a) 

10 using the cryptogram calculator 18, and transmits the 

11 cryptogram A to verifiers via the communication I/F 30. 

12 Step 1 corresponds to a process Psl, which is performed 

13 by the prover computer 10 in Fig. 1, and communication 

14 Tl, which is transmitted as a result of the process Psl. 

15 Step 2: 

16 The verifier generates the random number b using the 

17 random number generator 44, and employs the received 

18 cryptogram A to obtain a cryptogram B = F(g, b) and a 

19 cryptogram X = F (A, b) . The verifier then transmits the 

20 obtained cryptograms B and X to the prover via the 

21 communication I/F 30 . 

22 Step 2 corresponds to a process Qsl, which is performed 

23 after the verifier computer 40 in Fig. 1 has received 

24 the data accompanying the communication Tl, and to 

25 communication T2, which is transmitted as a result of 
2 6 the process Qsl . 
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1 Step 3: 

2 Based on the received cryptograms B and X, the prover 

3 employs the verification unit 20 to determine whether X 

4 = F(B, a) has been established for the verifier. If X = 

5 F(B, a) has not been established for the verifier, the 

6 prover ascertains that the verifier performed an illegal 

7 activity, and halts the performance of the protocol 

8 procedures using the halting unit 24. If, however, X = 

9 F(B, a) has been established for the verifier, the 

10 prover generates the random number c and obtains C = 

11 F(g, c) and Y = F(B, c) , or alternately, obtains C - 

12 F (A, c) and Y = F(X, c) . Afterwards, Z = H(a, Y, s) , 

13 i.e., Z = a -f Y*s is calculated, and then the obtained 

14 cryptograms C, Y and Z are transmitted to the verifier. 

15 Step 3 corresponds to a process Ps2, which is performed 

16 after the prover computer 10 in Fig. 1 has received the 

17 data accompanying the communication T2, and to 

18 communication T3, which is transmitted because the 

19 relation X = F(B, a) was verified by the verification 

20 unit 20 during the process Ps2. 

21 Step 4: 

22 Based on the received cryptograms C, Y and Z, the 

23 verifiers uses the verification unit 50 to determine 

24 whether Y = F(c, b) and A - J(v, Y, g, Z), i.e., A = 

25 F(v, Y)*F(g, Z), have been established. If the two 

26 relations have been established, the verifier accepts 

27 the identity of the prover (the acceptance unit 52 is 

28 activated) . If, however, the two relations have not 
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1 been established, the verifier rejects the identity of 

2 the prover (the rejection unit 54 is activated) . 

3 Step 4 corresponds to a process Qs2 performed after the 

4 verifier computer 40 in Fig. 1 has received the data 

5 accompanying the communication T3. 

6 The above protocol can be stored as a program, for use 

7 by the prover and the verifiers, on a storage medium, 

8 such as a floppy disk. In this case, only a detachable 

9 floppy disk unit (FDU) need be connected to the 

10 individual computers to enable the program to be read 

11 from the floppy disk and executed . 

12 A processing program may be stored (installed) in a RAM, 

13 or at another storage area (e.g., on a hard disk) in the 

14 computer, and executed, or it may be stored in a ROM in 

15 advance. A storage medium, a disk such as a CD-ROM, an 

16 MD, an MO or a DVD, or a magnetic tape such as a DAT, 

17 may also be used, but when one of these media is 

18 employed, a corresponding device, such as a CD-ROM 

19 drive, an MD drive, an MO drive, a DVD drive or a DAT 
2 0 drive must be provided . 

21 Specific Example : 

22 A specific example of user authentication for which the 

23 above described protocol is employed will now be 

24 described. In the following example, when prime numbers 

25 p and q (q|p - 1) and the element g of the order q are 

26 employed as system parameters, v = F(g, -s) = g~ s mod p 

27 is employed as the function F. That is, the same key 



DOCKET NUMBER: JP919990280US1 



-19 



1 configuration as that provided by the Schnorr method can 

2 be employed. Further, the function H is defined as H(a, 

3 Y, s) - a + Y s mod q, and the function J is defined as 

4 J(v, Y, g, Z) - v Y g z mod p. 

5 Key configuration] 

6 System parameters: prime numbers p and q (q|p - 1) and 

7 the element g of the order q 

8 Public key of a prover: v = g~ s mod p 

9 Secret key of a prover : s e Zq 

10 Protocol] 

11 Step 1: The prover generates the random number a, 

12 acquires a cryptogram A and transmits the cryptogram A 

13 to the verifier. 

14 a e Zq ... (1) 

15 A - g a mod p ... (2) 

16 That is, at the prover computer 10, the random number 

17 generator 14 employs the system parameter q to generate 

18 the random number a, in accordance with expression (1), 

19 and the cryptogram calculator 18 employs the random 

20 number a and the system parameters p and q to obtain the 

21 cryptogram A, in accordance with expression (2) . The 

22 obtained cryptogram A is then output through the 

23 communication I/F 30, and is transmitted, via the 

24 network 32, to the verifier computer 40. 

25 Step 2: The verifier generates the random number b, 

26 obtains cryptograms B and X, and transmits the 

27 cryptograms B and X to the prover. 
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1 



b e Zq 

B = g b mod p 

X = A b mod p 



. . . (3) 



2 



. . . (4) 



3 



. . . (5) 



4 That is, at the verifier computer 40, the cryptogram 

5 calculator 48 receives the cryptogram A, generated by 

6 the prover computer 10, via the communication I/F 56. 

7 At this time, the random number generator 44 of the 

8 verifier computer 40 employs the system parameter q to 

9 generate the random number b, in accordance with 

10 expression (3) . The cryptogram calculator 48 then 

11 employs the random number b and the received cryptogram 

12 A to obtain the cryptograms B ^and X, in accordance with 

13 expressions (4) and (5), and the obtained cryptograms B 

14 and X are output through the communication I/F 56 and 

15 are transmitted, via the network 32, to the prover 

16 computer 10 . 

17 Step 3: The prover employs the cryptograms B and X to 

18 determine whether the following expression (6) has been 

19 established. If expression (6) has not been 

20 established, the prover assumes that the verifier 

21 performed an illegal activity and halts the protocol. 

22 If, however, expression (6) has been established, the 

23 prover generates the random number c and obtains 

24 cryptograms C and Y. Thereafter, a cryptogram Z is 

25 acquired, and the cryptograms C, Y and Z are transmitted 

26 to the verifier. 



27 



X = B a mod p 



. . . (6) 



28 



c e Zq 



- - . (7) 
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1 



C = g c mod p 
Y = B c mod p 
or C = A c mod p 



(8) 



2 



(9) 



3 



(10) 



4 



Y = X c mod p 
Z = a + Y s mod q 



(ID 



5 



(12) 



6 Specifically, at the prover computer 10 the verification 

7 unit 20 receives the cryptograms B and X from the 

8 verifier computer 40 via the communication I/F 30, and 

9 employs the cryptograms B and X that are received and 

10 the system parameters stored in the memory 16 to examine 

11 the cryptograms B and X, in accordance with expression 

12 (6). 

13 If expression (6) has not been established, the 

14 verification unit 20 transmits a signal to the halting 

15 unit 24 to halt the performance of the protocol 

16 procedures. When expression (6) has been established, 

17 however, the verification unit 20 outputs a signal to 

18 the random number generator 22 to generate the random 

19 number c at the random number generator 44 based on the 

20 system parameter q, following which the random number c 

21 is transmitted to the cryptogram calculator 26, which 

22 employs the random number c, the received cryptogram B 

23 and the system parameters p and g to obtain cryptograms 

24 C and Y, in accordance with expressions (8) and (9), or 

25 (10) and (11) . Then, in accordance with expression 

26 (12), the cryptogram calculator 26 obtains a cryptogram 

27 Z using the obtained cryptogram Y, the random number a, 

28 the secret key s and the system parameter q, and 

29 thereafter, the cryptograms C, Y and Z are output 

30 through the communication I/F 30, and are transmitted, 
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1 via the network 32, to the verifier computer 40. 

2 Step 4: The verifier determines whether the following 

3 expressions (13) and (14) have been established. If the 

4 two expressions have been established, the verifier 

5 accepts the identity of the prover. Otherwise, the 

6 verifier rejects the identity of the prover. 

7 Y = C b mod p ... (13) 

8 A = v Y g z mod p ... (14) 

9 Specifically, in the verifier computer 40, the 

10 verification unit 50 receives the cryptograms C, Y and Z 

11 from the prover computer 10 via the communication I/F 

12 56. Then, in accordance with expressions (13) and (14), 

13 the verification unit 50 examines the cryptograms C, Y 

14 and Z using the system parameters stored in the memory 

15 46. 

16 When expressions (13) and (14) have not been 

17 established, the verification unit 50 activates the 

18 rejection unit 54 to reject the identity of the prover. 

19 When, however, the expressions (13) and (14) have been 

20 established, the verification unit 50 activates the 

21 acceptance unit 52 to accept the identity of the prover. 

22 In this embodiment, user authentication can be completed 

23 through the exchange of only three communications by the 

24 prover and the verifier, and the quantity of the 

25 communications contributes to the prime numbers p and q. 

26 According to this embodiment, the number of 

27 communications is |p|, using the cryptogram A 

28 accompanying communication Tl, 2|p|, using the 



DOCKET NUMBER : JP919990280US1 



-23 



cryptograms B and X accompanying communication T2, and 
2|p| and |q|, using the cryptograms C, Y and Z 
accompanying communication T3 (see Fig. 1). Therefore, 
a total of only 5|p| + |q| communications is required. 
Further, as is apparent from the above expressions, this 
contributes greatly to the reduction of the load imposed 
by the calculation of powers. Since only six such 
calculations are required, an efficient protocol is 
provided . 

In this example, communication between one prover and a 
single verifier (one verifier) has been employed. 
However, on an asynchronous network, such as the 
Internet, the authentication of the identity of a prover 
must be accomplished by multiple verifiers. In this 
embodiment, when individual verifiers are in any of the 
communication states corresponding to communication Tl 
to communication T3 (see Fig. 1), secrecy can be 
maintained; a secret key will not be compromised even 
when the cryptograms A, B, C, X, Y and Z that are 
transmitted are trapped en route and analyzed. This 
will be explained later in detail. Therefore, even when 
multiple verifiers must simultaneously or sequentially 
be permitted to examine the identity of a prover, the 
user authentication process can be precisely performed 
for each of the multiple verifiers. Thus, when multiple 
verifiers are permitted to examine the identity of a 
prover via an asynchronous network, such as the 
Internet, the user authentication process can be 
performed safely. 
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1 In the above example, the power calculation for Zp is 

2 employed as a specific one-way function F, and is a 

3 so-called one-way function based on a discrete 

4 logarithm. However, the present invention is not 

5 limited to this problem; while N is a composite number, 

6 the discrete logarithm for ZN may be employed, or the 

7 discrete logarithm for an elliptic curve may be 

8 employed. 

9 Validity of protocol] 

10 The validity of the protocol for this embodiment will 

11 now be described. Specifically, an explanation will be 

12 given based on the above Specific example wherein it is 

13 shown that the zero knowledge property is achieved, even 

14 when the protocol for this embodiment is applied for an 

15 asynchronous network. Whereas it is well known that the 

16 zero knowledge property is not achieved when the 

17 protocol mentioned in the description of the background 

18 art ("Concurrent Zero-Knowledge", C. Dwork, M. Naor and 

19 A. Shai, Proc. Of 30th STOC, 1998) is applied for an 

20 asynchronous network. 

21 On an asynchronous network, a plurality of illegal 

22 verifiers (VI, V2, ... and Vn) may enter into a 

23 conspiracy with each other to communicate with a prover 

24 P. Therefore, it is not sufficient to consider the 

25 achievement of the zero knowledge property for 

26 communications between a prover P and a single verifier 

27 V. In other words, the zero knowledge property for 

28 communications between a prover P and multiple verifiers 
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1 VI to Vn must be taken into account. 

2 In the authentication process in this embodiment , it is 

3 proved that the information that can be obtained through 

4 communication, in accordance with the proposed protocol, 

5 with the prover P by multiple illegal verifiers VI to 

6 Vn, who have entered into a conspiracy with each other, 

7 can be obtained without the communication with the 

8 prover P. Specifically, it is proved for arbitrary 

9 illegal verifiers VI to Vn, there is an algorithm S 

10 (simulator) such that the probability distribution of 

11 the output of S matches the one of the contents of the 

12 actual communications exchanged by the prover P and each 

13 verifier VI to Vn . In this embodiment, this proof is 

14 represented as "the algorithm S simulates the contents 

15 of the actual communication between the prover P and 

16 each verifier VI to Vn". 

17 Conspiracy of verifiers] 

18 It may be assumed that, without losing generality, the 

19 illegal verifiers VI to Vn in a conspiracy communicate 

20 with the prover P in the following manner. The 

21 verifiers VI to Vn are sorted into groups Gl, G2, . . . 

22 and Gm (m ^ n) . Intuitively, it is assumed that a 

23 verifier who belongs to the group G x communicates with 

24 the prover P based on information obtained by a verifier 

25 who belongs to the group Gi-i- 

26 Generalized conspiracy protocol] 

27 The input data are employed as the public key for the 
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1 prover P and as the system parameters (p, q, g, v) . 

2 Step 1: The prover P calculates cryptograms Al = g al , A2 

3 = g a2 , . . . and An = g an mod p, and transmits the obtained 

4 cryptograms Al, A2, ... and An to the respective 

5 verifiers VI, V2, . . . and Vn. 

6 The information obtained by the verifiers VI to Vn is 

7 VIEW 0 = { (p, g, g, v) , (Al, A2 , . .., An)}. 

8 Step 2-1-P: All the verifiers Vi who belong to the group 

9 Gl employ the received cryptograms Al to An to generate 

10 a random number bi e Zq, and obtain cryptograms Bi (= g bi 

11 mod p) and Xi (= Ai bl mod p) . The verifiers Vi then 

12 transmit the obtained cryptograms Bi and Xi to the 

13 prover P. 

14 Step 2-1-V: The prover P examines each i that satisfies 

15 Vi e Gi to determine whether the authentication 

16 expression (Xi = B ai mod p) has been established. 

17 If the authentication expression has been established, 

18 the prover P transmits the cryptograms Ci, Yi and Zi to 

19 the verifiers Vi. 

20 At this time, the information obtained by the verifiers 

21 is VIEWi = VIEW 0 U { (Bi, Xi, Ci, Yi, Zi) | Vi e Gl}. 

22 Then, steps 2-k-P and 2-k-V are repeated for 2 ^ k ^ n. 

23 Step 2-k-P: All the verifiers Vi who belong to the group 

24 Gk employ the obtained information VIEW k _i to generate a 
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1 random number bi e Zq, and obtain cryptograms Bi (= g bi 

2 mod p) and Xi (= Ai bi mod p) . The verifiers Vi then 

3 transmit the obtained cryptograms Bi and Xi to the 

4 prover P. 

5 Step 2-k-V: The prover P examines each i that satisfies 

6 Vi e Gk to determine whether the authentication 

7 expression (Xi = B ai mod p) has been established. 



8 If the authentication expression has been established, 

9 the prover P transmits the cryptograms Ci, Yi and Zi to 

10 the verifiers Vi . 

11 At this time, the information obtained by the verifiers 

12 is VIEW k = VIEW k _i U { (Bi, Xi, Ci, Yi, Zi) | Vi e Gk} . 

13 As a result, the information finally obtained by the 

14 verifiers who are members of the conspiracy is 

15 VIEW n = { (p, q, g, v) , 

16 (Al, A2, . . . , An) , 

17 (BI, B2, . . . , Bn) , 

18 (XI, X2, , . . , Xn) , 

19 (CI, C2, . . . , Cn) , 

20 (YI, Y2, . . . , Yn) , 

21 (ZI, Z2, . . . , Zn) } . 

22 Assumption of calculation amount for conspiracy] 

23 In order to establish xi = B ai mod p for each i at the 

24 step 2-k-V, the verifiers Vi use a random number bi e Zq 

25 to calculate Bi = g bl mod p and Xi = Ai bi mod p. In other 

26 words, it is presumed that each verifier Vi knows the 
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1 value of the random number bi. This assumption can be 

2 formally described as follows. 

3 b-awareness assumption: hereinafter referred to as BAA] 

4 At steps 2-1-V, 2-2-V, . . . and 2-n-V, relative to an 

5 arbitrary verifier Vi, there is another verifier Vi f who 

6 outputs not only the cryptograms Bi and Xi, but also 

7 outputs the value of the random number bi - 

8 Configuration of simulator] 

9 When the simulator S is constructed as follows, the zero 

10 knowledge property can be achieved under the BAA. The 

11 simulator S employs the verifiers (VI 1 , V2 1 , ... and 

12 Vn T ) as sub-routines, and can thus employ the individual 

13 random numbers bi. 

14 Algorithm of simulator] 

15 Input: public key v, system parameters p, q and g 

16 Output: VIEW n = { (p, g, g, v) , 



17 


(Al, 


A2, . 


. . , An) , 


18 


(BI, 


B2, . 


• • , Bn) , 


19 


(XI, 


X2, . 


. . , Xn) , 


20 


(CI, 


C2, . 


• • , Cn) , 


21 


(Yl, 


Y2, . 


• • , Yn) , 


22 


(Zl, 


Z2, . 


. . , Zn) } 



23 Step 1: For all "i"s (1 ^ i ^ n) , random numbers Yi e Zq 

24 and Zi € Zq are generated, and Ai = V Yi g Zl is calculated. 
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1 At this time, the simulation information produced by the 

2 simulator S is 

3 VIEW 0 = [(p, q, g, v) , (Al, A2, . .., An)]. 

4 Step 2-1-P: The simulator S executes all the verifiers 

5 Vi (Vi 1 ) who belong to the group Gl. That is, VIEW 0 is 

6 input for each verifier Vi 1 , and (Bi, Xi, bi) are 

7 calculated. At this time, Bi = g bl mod p is established. 

8 Step 2-1-V: Ci that satisfies Yi = Ci bl mod p is 

9 calculated. At this time, the simulation information 

10 produced by the simulator S is 

11 VIEWi - VIEW 0 U { (Bi, Xi, Ci, Yi, Zi) | Vi e Gl}. 

12 Then, steps 2-k-P and 2-k-V are repeated for 2 ^ k ^ n. 

13 Step 2-k-P: The simulator S executes all the verifiers 

14 Vi (Vi T ) who belong to the group Gk. That is, VIEW k -i is 

15 input to each verifier Vi 1 , and (Bi, Xi, bi) are 

16 calculated. At this time, Bi = g bi mod p. 

17 Step 2-k-V: Ci that satisfies Yi = Ci bi mod p is 

18 calculated. At this time, the information simulated by 

19 the simulator S is VIEW k - VIEW k _i U I {(Bi, Xi, Ci, Yi, 

20 Zi) | Vi g G k } . 

21 The communication contents VIEW n , which are finally to be 

22 simulated, match the probability distribution of the 

23 actual communication contents between the prover P and 

24 the verifiers VI, V2, ... and Vn. Therefore, the zero 

25 knowledge property is achieved. 
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1 Advantages of the Invention] 

2 As is described above, according to the present 

3 invention, the secret key of a prover computer is not 

4 compromised by the information exchanged by the prover 

5 computer and a verifier computer, and user 

6 authentication is ensured. 

7 Especially when on an asynchronous network, such as the 

8 Internet, a prover computer receives data required for 

9 authentication as well as verification from multiple 

10 verifiers, the zero knowledge property is acquired. 

11 Thus, user authentication is ensured without the secret 

12 key of a prover computer being compromised on any kind 

13 of network. 

14 The present invention can be realized in hardware, 

15 software, or a combination of hardware and software. The 

16 present invention can be realized in a centralized fashion 

17 in one computer system, or in a distributed fashion where 

18 different elements are spread across several 

19 interconnected computer systems. Any kind of computer 

20 system - or other apparatus adapted for carrying out the 

21 methods described herein - is suitable. A typical 

22 combination of hardware and software could be a general 

23 purpose computer system with a computer program that, when 

24 being loaded and executed, controls the computer system 

25 such that it carries out the methods described herein. The 
2 6 present invention can also be embedded in a computer 

27 program product, which comprises all the features enabling 

28 the implementation of the methods described herein, and 
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1 which - when loaded in a computer system - is able to 

2 carry out these methods. 

3 Computer program means or computer program in the present 

4 context mean any expression,, in any language, code or 

5 notation, of a set of instructions intended to cause a 

6 system having an information processing capability to 

7 perform a particular function either directly or after 

8 conversion to another language, code or notation and/or 

9 reproduction in a different material form. 

10 It is noted that the foregoing has outlined some of the 

11 more pertinent objects and embodiments of the present 

12 invention. This invention may be used for many 

13 applications. Thus, although the description is made for 

14 particular arrangements and methods, the intent and 

15 concept of the invention is suitable and applicable to 

16 other arrangements and applications. It will be clear to 

17 those skilled in the art that other modifications to the 

18 disclosed embodiments can be effected without departing 

19 from the spirit and scope of the invention. The 

20 described embodiments ought to be construed to be merely 

21 illustrative of some of the more prominent features and 

22 applications of the invention. Other beneficial results 

23 can be realized by applying the disclosed invention in a 

24 different manner or modifying the invention in ways known 

25 to those familiar with the art. 
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1 Claims: 

2 Claim 1 

3 A user authentication method, whereby a one-way function 

4 F, which should satisfy v = F(g, -s) , is determined by 

5 employing an integer g that is defined in advance for a 

6 relation between a public key v and a secret key s of a 

7 prover computer, and whereby a relation is verified 

8 between said prover computer and each of multiple 

9 verifier computers, comprising the steps of: 

10 said prover computer generating a random number a, 

11 obtaining a cryptogram A = the function F(g, a), and 

12 transmitting said cryptogram A to said verifier 

13 computers; 

14 said verifier computers generating a random number 

15 b, obtaining a cryptogram B = the function F(g, b) and a 

16 cryptogram X = the function F(A, b) , and transmitting 

17 said cryptograms B and X to said prover computer; 

18 said prover computer determining whether a relation 

19 of said cryptogram X = the function F(B, a) has been 

20 established and generating a random number c when said 

21 relation has been established, obtaining a cryptogram C 

22 = the function F(g, c) and a cryptogram Y = the function 

23 F(B, c) , or a cryptogram C = the function F(A, c) , a 

24 cryptogram Y = the function F(X, c) and a cryptogram Z = 

25 a function H(a, Y, s), and transmitting said cryptograms 

26 C and Y or said cryptograms C, Y and Z to said verifier 

27 computers; and 

28 said verifier computers, when said cryptogram Y = 

29 the function F(C, b) and said cryptogram A = a function 
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1 J(v, Y, g, Z) are established, determining that said 

2 relation between said prover computer and said verifier 

3 computer is correct. 

4 Claim 2 

5 The user authentication method according to claim 1, 

6 wherein said public key v is obtained by employing prime 

7 numbers p and q that satisfy (q|p - 1), and by defining 

8 an element of the order q as said integer g. 

9 Claim 3 

10 The user authentication method according to claim 1, 

11 wherein, by using said public key v and said secret key 

12 s, said function F acquires a relation v = F(g, -s) = g" s 

13 mod p. 

14 Claim 4 

15 The user authentication method according to claim 1, 

16 wherein, when a relation X = B a mod p is established, 

17 said prover computer generates said random number c. 

18 Claim 5 

19 The user authentication method according to claim 1, 

20 wherein said function H has a relation H(a, Y, s) = a + 

21 Ys mod q. 

22 Claim 6 

23 The user authentication method according to claim 1, 

24 wherein said function J has a relation J(v, Y, g, Z) = 

25 v Y g s mod p. 
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1 Claim 7 

2 A storage medium on which a user authentication program, 

3 which is to be read by a prover computer, is stored 

4 whereby a one-way function F, which should satisfy v = 

5 F(g, -s) , is determined by employing an integer g, which 

6 is defined in advance for the relation between a public 

7 key v and a secret key s of said prover computer, and 

8 whereby a relation is verified between said prover 

9 computer and each of multiple verifier computers, said 

10 user authentication program permitting said prover 

11 computer to perform: 

12 a process for generating a random number a and for 

13 obtaining a cryptogram A = the function F(g, a), and for 

14 transmitting said cryptogram A to said verifier 

15 computers; 

16 a process for receiving cryptograms B and X from 

17 said verifier computer, and for employing said 

18 cryptograms to determine whether a relation a cryptogram 

19 X = the function F (B, a) has been established; 

20 a process for generating a random number c when 

21 said relation has been established; and 

22 a process for obtaining a cryptogram C = the 

23 function F(g, c) and a cryptogram Y = the function F(B, 

24 c) , or a cryptogram C = the function F(A, c) , a 

25 cryptogram Y = the function F(X, c) and a cryptogram Z = 

26 the function H(a, Y, s); and 

27 a process for transmitting said cryptograms C and 

28 Y, or C, Y and Z, to said verifier computers. 
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1 Claim 8 

2 A storage medium on which a user authentication program, 

3 which is to be read by a prover computer, is stored 

4 whereby a one-way function F, which should satisfy v = 

5 F(g f -s) , is determined by employing an integer g, which 

6 is defined in advance for the relation between a public 

7 key v and a secret key s of said prover computer, and 

8 whereby a relation is verified between said prover 

9 computer and each of multiple verifier computers, said 

10 user authentication program permitting said verifier 

11 computers to perform: 

12 a process for receiving a cryptogram A from said 

13 prover computer and for generating a random number b; 

14 a process for obtaining a cryptogram B = the 

15 function F(g, b) and a cryptogram X = the function F (A, 

16 b) , using said random number b and said cryptogram that 

17 is received, and for transmitting said cryptograms B and 

18 X to said prover computer; 

19 a process for receiving, from said prover computer, 

20 a cryptogram C = the function F(g, c) and a cryptogram Y 

21 = the function F(B, c) , or a cryptogram C = the function 

22 F(A, c) , a cryptogram Y = the function F(X, c) and a 

23 cryptogram Z = the function H(a, Y, s) ; and 

24 a process, based on said cryptograms C and Y or C, 

25 Y and Z that are received, for verifying a relation 

26 between said verifier computer and said prover computer 

27 when two relations of said cryptogram Y = the function 

28 F(C, b) and said cryptogram A = the function J(v, Y, g, 

29 Z) are established at the same time. 
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1 Claim 9 

2 A user authentication apparatus for a prover computer, 

3 wherein a one-way function F, which should satisfy v = 

4 F(g, -s), is determined by employing an integer g, which 

5 is defined in advance, for a relation between a public 

6 key v and a secret key s of said prover computer, and 

7 wherein a relation is verified between said prover 

8 computer and each of multiple verifier computers, said 

9 user authentication apparatus comprising: 

10 transmission means, for generating a random number 

11 a and obtaining a cryptogram A = the function F(g, a), 

12 and for transmitting said obtained cryptogram A to said 

13 verifier computers; 

14 reception means, for receiving cryptograms B and X 

15 from said verifier computers; 

16 verification means, for employing said cryptograms 

17 B and X to determine whether a relation of said 

18 cryptogram X = the function F(B, a) has been 

19 established; 

20 cryptogram computation means, for generating a 

21 random number c when it has been ascertained that said 

22 relation has been established, and for obtaining a 

23 cryptogram C = the function F(g, c) and a cryptogram Y = 

24 the function F(B, c) , or a cryptogram C = the function 

25 F (A, c) , a cryptogram Y = the function F(X, c) and a 

26 cryptogram Z = the function H(a, Y, s) ; and 

27 cryptogram transmission means, for transmitting 

28 said cryptograms C and Y or C, Y and Z to said verifier 

29 computers. 
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1 Claim 10 

2 A user authentication apparatus for a prover computer 

3 wherein a one-way function F, which should satisfy v - 

4 F(g, -s), is determined by employing an integer g, which 

5 is defined in advance, for the relation between a public 

6 key v and a secret key s of a prover computer, and 

7 wherein a relation is verified between said prover 

8 computer and each of multiple verifier computers, said 

9 user authentication apparatus comprising: 

10 reception means, for receiving a cryptogram A from 

11 said prover computer; 

12 transmission means, for generating a random number 

13 b, and for employing said random number b and said 

14 cryptogram A that is received to obtain a cryptogram B = 

15 the function F(g, b) and a cryptogram X = the function 

16 F (A, b) , and for transmitting said cryptograms B and X 

17 to said prover computer; 

18 cryptogram reception means, for receiving from said 

19 prover computer a cryptogram C = the function F(g, c) 

20 and a cryptogram Y = the function F(B, c) or a 

21 cryptogram C = the function F (A, c) , a cryptogram Y = 

22 the function F(X, c) , and a cryptogram Z = the function 

23 H(a, Y, s); and 

24 verification means, for performing a procedure, 

25 based on said cryptograms C, Y and Z that are received, 

26 for verifying a relation between said verifier computers 

27 and said prover computer when two relations of said 

28 cryptogram Y = the function F(C, b) and said cryptogram 

29 A = the function J(v, Y, g, Z) are established at the 

30 same time . 
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